News about linux, computer, computer science, mathematics and white hot chocolate, the most beautiful drink in this world.

Wednesday, February 13, 2013

Chinese hackers attacked New York Times computers for four months

That's not a first: opponents to non-democratic regimes being harassed because they revealed something nasty. This story is no different.

The NY Times published an article about China's leader, Wen Jiabao, and some possible financial "indelicacies" of his family.

The Chinese government informed the NY Times that there will be "consequences" to the article. And there were.

The attack apparently started on September 13, 2012. The initial vector seems to have been a spear phishing attack, which led to systems being compromised and remote access tools being installed. On October 25, 2012, AT&T informed the company that "suspicious communications were spotted." This puts the detection time at about a month, not a very long time in the APT world.

Mandiant was mandated to investigate the breach, and found that the attack was consistent with others perpetrated by Chinese hackers associated with the Chinese military. China has always either denied or refused to comment on such attacks.

The most likely goal of the attack was to find out who talked to the reporters, possibly for further "actions."

In at least two cases, the antivirus provided by Symantec failed to detect the malware. Which is normal. An AV is only one component in a line of complex defenses, and relying solely on it is akin to deciding that your immune system is enough to cope with all the dirt you may find in the world, and ditching hospitals, doctors and hygiene.

In the NYTimes case, in addition to the AV and, most likely, other tools, the provider was involved in monitoring the activity. Which paid off: AT&T detected the "strange activity," which led to the discovery of the malware.